Date: Wed, 27 Jul 2016 03:05:35 +0800
From: Julian Elischer <julian@freebsd.org>
To: Michael Sierchio <kudzu@tenebras.com>, "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject: Re: ipfw divert filter for IPv4 geo-blocking
Message-ID: <59d70c14-1524-8279-7b91-1620e2f688a7@freebsd.org>
In-Reply-To: <CAHu1Y72JZzXTp_YGsFe31j79vi0TNBQCm%2BoPze=3QB6zf8G08g@mail.gmail.com>
References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <9d0a3ad8-a66a-c527-3906-3290b8d58476@rlwinm.de> <ffaad855-2a2e-6034-e9fe-5b685276a2b9@freebsd.org> <CAHu1Y72JZzXTp_YGsFe31j79vi0TNBQCm%2BoPze=3QB6zf8G08g@mail.gmail.com>
On 27/07/2016 1:40 AM, Michael Sierchio wrote:
> On Tue, Jul 26, 2016 at 9:26 AM, Julian Elischer <julian@freebsd.org> wrote:
>>> table 1 { DE, NL } -> 10000,
>>> { US, UK } -> 10100
>>> table 2 { CN, KO, TR } -> 20000
>>>
>> why multiple tables?
>> if you load the table at once you can assign a country code as the
>> tablearg for every run of addresses. all in one table.
>
> I mentioned that in my earlier response - but if the point is to block
> entire countries (or any collection of CIDR blocks, for that matter), it's
> sufficient to have a whitelist table and a blacklist table. The table arg
> could also be a skipto rule number, right? And you can do policy-based
> routing, with the table arg as a FIB number.
>
> Passing the packet to userland via divert sockets was a brilliant idea in
> 2003. natd was pretty much the first NAT mechanism to properly handle ICMP
> error responses, too.

2003? nahh we wrote it and divert in 96 :-)
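The single-table approach discussed above, as an added example that is not from the thread or from FreeBSD itself: a script that turns a "CIDR country-code" list into ipfw commands loading one address table whose per-entry value is the skipto rule for that country's policy, plus the lookup rule and the policy rule blocks. The table name `geo`, the rule numbers and the sample prefixes are assumed/constructed; the policy mapping follows the groups quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build ONE ipfw table whose
# tablearg value is the skipto target for each country's policy, instead of one
# table per country group. Input lines on stdin: "<CIDR> <ISO country code>".

# Country code -> rule number to skipto. Groups mirror the thread; unknown
# countries fall through to the default policy rule (number assumed here).
policy_rule() {
  case "$1" in
    DE|NL)    echo 10000 ;;
    US|UK)    echo 10100 ;;
    CN|KO|TR) echo 20000 ;;
    *)        echo 30000 ;;
  esac
}

# Emit ipfw commands for table "$1" from "CIDR CC" lines on stdin.
# Requires FreeBSD ipfw with named tables and "valtype skipto" (11.x and later).
gen_ipfw_table() {
  table="$1"
  echo "ipfw table $table create type addr valtype skipto"
  while read -r cidr cc; do
    [ -n "$cidr" ] || continue                      # skip blank lines
    echo "ipfw table $table add $cidr $(policy_rule "$cc")"
  done
  # One lookup: the matched entry's value becomes the skipto target.
  echo "ipfw add 100 skipto tablearg ip from 'table($table)' to any in"
  # Source address not in the table at all -> default policy block.
  echo "ipfw add 200 skipto 30000 ip from any to any in"
  # Illustrative policy blocks (rule numbers are the skipto targets above).
  echo "ipfw add 10000 allow ip from any to any"          # DE, NL
  echo "ipfw add 10100 allow log ip from any to any"      # US, UK, logged
  echo "ipfw add 20000 deny log ip from any to any"       # CN, KO, TR
  echo "ipfw add 30000 deny ip from any to any"           # unlisted countries
}

# Demo on constructed documentation prefixes (not real geolocation data).
printf '192.0.2.0/24 DE\n198.51.100.0/24 CN\n203.0.113.0/24 US\n' \
  | gen_ipfw_table geo
```

Review the emitted commands before running them, and note that the deny blocks above drop all traffic, not only the diverted flow the thread discusses.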